...
Verify the validity of access token
Return 401 in case validation fails
Check user scopes in order to perform this action (scope = 'merge_request:write')
Return 403 in case invalid scope(s)
Check the employee has created this merge request. Thus select inserted_by from il.merge_requests of this merge request and compare it with user_id from the token.
Check that client_id from the token maches with il.merge_requests.legal_entity_id
If not match - return 422 error (User doesn’t belong to legal entity where the merge request was created)
Validate digital signature
...
Validate preperson as on create merge request process, but w/o searching pending merge requests and episodes.
Validate employee
Validate employee as described on reject merge request process.
Save signed merge request to media storage
...